CVE-2026-23611 GFI MailEssentials AI < 22.4 Anti-Spam IP Blocklist Description Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to...

CVE-2025-71240

SPIP before 4.2.15 allows Cross-Site Scripting XSS via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser...

CVE-2026-25940 jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user ca...

CVE-2019-25429

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpnadvanced endpoint. Attackers can inject JavaScript code through the GLOBALNETWORKS and GLOBALDNS parameters via POST...

CVE-2019-25429

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpnadvanced endpoint. Attackers can inject JavaScript code through the GLOBALNETWORKS and GLOBALDNS parameters via POST...

CVE-2019-25407

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. Attackers can send POST requests to the backupschedule endpoint with JavaScript code in the BACKUPRCPT...

CVE-2019-25408

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the netmaskaddr parameter. Attackers can send POST requests to the netwizard2 endpoint with script payloads in the netmaskaddr...

CVE-2019-25403

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the comment parameter. Attackers can inject JavaScript code through the adminprofiles endpoint that executes in the browse...

CVE-2019-25430

Comodo Dome Firewall 2.7.0 is affected by a reflected XSS in the vpn_users endpoint. An unauthenticated attacker can submit crafted input in the username parameter via a POST request to trigger arbitrary JavaScript in a victim’s browser. CVSS v4.0 and v3.1 vectors are provided, with base scores o...

CVE-2019-25429 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via openvpn_advanced

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpnadvanced endpoint. Attackers can inject JavaScript code through the GLOBALNETWORKS and GLOBALDNS parameters via POST...

CVE-2019-25408

CVE-2019-25408 : Comodo Dome Firewall 2.7.0 has a reflected cross-site scripting vulnerability in the netwizard2 endpoint, via the netmask_addr parameter. An attacker can send crafted POST input to inject JavaScript into users’ browsers, triggering the attack without authentication. Reported CVSS...

CVE-2019-25407

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. Attackers can send POST requests to the backupschedule endpoint with JavaScript code in the BACKUPRCPT...

PT-2026-20890

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4 Description GFI MailEssentials AI versions before 22.4 have a stored cross-site scripting issue in the POP2Exchange configuration. A logged-in user can inject HTML or JavaScript into the POP3 server...

Cross-site Scripting (XSS)

Overview librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the alertrulelist.inc.php process. An attacker can execute arbitrary JavaScript code in...

CVE-2026-27176

MajorDoMo (Major Domestic Module) has a reflected XSS in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting ...

CVE-2026-1437 Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

PT-2026-20393

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

PT-2026-20245

Name of the Vulnerable Software and Affected Versions IBM Concert versions 1.0.0 through 2.1.0 Description The IBM Concert Z hub framework is susceptible to cross-site scripting. An unauthenticated attacker can inject arbitrary JavaScript code into the Web UI, potentially modifying the intended...

CVE-2019-25387

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the xtaccess.cgi endpoint. Attackers can inject script payloads through the EXT, DESTPORT, or...

CVE-2019-25388

Smoothwall Express 3.1-SP4-polar-x8664-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the ipblock.cgi endpoint. Attackers can inject script tags through the SRCIP and COMMENT paramete...